Top Five Small Business Internet Security Threats

Default-Image-10

Ron Teixeira of the National Cyber Security AllianceEditor’s Note: A key trend coloring the world of small business is how our computers have transformed into critical business systems that we cannot function without. But don’t think your computer systems are safe from attack because it “won’t happen to my business.” In fact, it could. Ron Teixeira, Executive Director of the National Cyber Security Alliance outlines the top five computer threats that small businesses may face and what to do about them, in this guest article.

By Ron Teixeira

Over the past two years, there have been a number of high-profile data breach cases involving major corporations. While this may give the perception that only large corporations are targeted by hackers and thieves, the reality is that hackers are increasingly targeting small businesses because they usually do not have the resources or know-how that large corporations do.

However, that does not mean small businesses need to spend a large sum of money and resources to protect themselves for the latest threats. In fact, according to a recent Symantec Threat Report, 82% of data that was either lost or stolen could have been avoided if the business followed a simple cyber security plan.

In order to begin development of a cyber security plan, you must understand the Internet threats and how protecting your business from those threats directly affects your bottom-line. As a result, the National Cyber Security Alliance, whose partners include the Department of Homeland Security, the Federal Bureau of Investigations, Small Business Administration, National Institute for Standards and Technology, Symantec, Microsoft, CA, McAfee, AOL and RSA, developed top 5 threats your small business may face on the Internet, business cases on how those threats can hurt you and practical measures you can take to avoid these threats.

Here is a summary of the top five threats:

  • #1: Malicious Code. A northeast manufacturing firm software bomb destroyed all the company programs and code generators. Subsequently the company lost millions of dollars, was dislodged from its position in the industry and eventually had to lay off 80 workers. To make sure this doesn’t happen to you, install and use anti-virus programs, anti-spyware programs, and firewalls on all computers in your business. Moreover, ensure that all computer software is up-to-date and contains the most recent patches (i.e., operating system, anti-virus, anti-spyware, anti-adware, firewall and office automation software).
  • #2: Stolen/Lost Laptop or Mobile Device. Last year, a Department of Veterans Affairs’ employee’s laptop was stolen from his home. The laptop contained 26.5 million veterans’ medical history. In the end, the laptop was recovered and the data was not used; however, the VA had to notify 26.5 million veterans of the incident, resulting in Congressional hearings and public scrutiny. To make sure this does not happen to you, protect your customers’ data when transporting it anywhere on a portable device by encrypting all data that resides in it. Encryption programs encode data or make it unreadable to outsiders, until you enter a password or encryption key.
  • #3: Spear Phishing. A medium-size bicycle manufacturer relied heavily on email to conduct business. In the normal course of a business day, the company received as many as 50,000 spam and phishing emails. In one case, an employee received a “spear phishing” email that looked like it came from the IT Department, and asked the employee to confirm the “administrator password.” Luckily for the company, when the employee asked the line manager for the “administrator password” he investigated further and realized the email was a scam. To make sure this does not happen to you, instruct all employees to contact their manager, or simply pick up the phone and contact the person who sent the email directly. It’s important to make your employees aware of what a spear phishing attack is and to be on the look out for anything in their in-box that looks suspicious.
  • #4: Unsecured Wireless Internet Networks. According to news reports, hackers pulled off the “biggest data breach ever” through a wireless network. A global retail chain had over 47 million customers’ financial information stolen by hackers who cracked through a wireless network that was secured by the lowest form of encryption available to the company. Currently, this security breach has cost the company $17 million, and in particular $12 million in one quarter alone, or 3 cents per share. To make sure this doesn’t happen to you, hen setting up a wireless network, make sure the default password is changed and make sure you encrypt your wireless network with WPA (Wi-Fi Protected Access).
  • #5: Insider/Disgruntled Employee Threat. A former employee for a company handling flight operations for major automotive companies, deleted critical employment information two weeks after he resigned from his position. The incident caused around $34,000 in damages. To make sure this does not happen to you, divide critical functions and responsibilities among employees within the organization, limiting the possibility that one individual could commit sabotage or fraud without the help of other employees within the organization.

Read on below for more information and detailed advice about how to protect your computer systems —

1. Malicious Code (Spyware/Viruses/Trojan Horse/Worms)

According to a 2006 FBI Computer Crime Study, malicious software programs comprised the largest number of cyber attacks reported, which resulted in an average loss of $69,125 per incident. Malicious software are computer programs secretly installed on your business’s computer and can either cause internal damage to a computer network like deleting critical files, or can be used to steal passwords or unlock security software in place so a hacker can steal customer or employee information. Most of the time, these types of programs are used by criminals for financial gain through either extortion or theft.

Case Study:

A northeast manufacturing firm captured contracts worth several million dollars to make measurement and instrumentation devices for NASA and the US Navy. However, one morning workers found themselves unable to log on to the operating system, instead getting a message that the system was “under repair.” Shortly after, the company’s server crashed, eliminating all the plant’s tooling and manufacturing programs. When the manager went to get back up tapes, he found they were gone and the individual workstations had also been wiped out. The company’s CFO testified that the software bomb had destroyed all the programs and code generators that allowed the firm to customize their products and thus lower costs. The company subsequently lost millions of dollars, was dislodged from its position in the industry, and eventually had to lay off 80 workers. The company can take some solace in the fact that the guilty party was eventually arrested and convicted.

Advice:

  • Install and use anti-virus programs, anti-spyware programs, and firewalls on all computers in your business.
  • Ensure that your computers are protected by a firewall; firewalls can be separate appliances, built into wireless systems, or a software firewall that comes with many commercial security suites.
  • Moreover, ensure that all computer software is up-to-date and contains the most recent patches (i.e., operating system, anti-virus, anti-spyware, anti-adware, firewall and office automation software).

2. Stolen/Lost Laptop or Mobile Device

Believe it or not, stolen or lost laptops are one of the most common ways businesses lose critical data. According to a 2006 FBI Crime Study (PDF), a stolen or lost laptop usually resulted in an average loss of $30,570. However, a high profile incident, or an incident that requires a company to contact all their customers, because their financial or personal data might have been lost or stolen, can result in much higher losses due to loss of consumer confidence, damaged reputation and even legal liability.

Case Study:

Last year, a Department of Veterans Affair’s employee took a laptop home that contained 26.5 million veterans’ medical history. While the employee was not home, an intruder broke in and stole the laptop containing the veterans’ data. In the end, the laptop was recovered and the data was not used; however, the VA had to notify 26.5 million veterans of the incident, resulting in Congressional hearings and public scrutiny. This phenomena is not limited to the government, in 2006 there were a number of high profile corporate cases involving lost or stolen laptops that resulted in data breaches. A laptop containing 250,000 Ameriprise customers was stolen from a car. Providential Health Care Hospital System had a laptop stolen, which contained thousands of patients’ medical records.

Advice:

  • Protect your customers’ data when transporting it anywhere on a portable device by encrypting all data that resides in it. Encryption programs encode data or make it unreadable to outsiders, until you enter a password or encryption key. If a laptop with sensitive data is stolen or lost, but the data is encrypted, it is highly unlikely that anyone will be able to read the data. Encryption is your last line of defense if data is lost or stolen. Some encryption programs are built into popular financial and database software. Simply check your software’s owner’s manual to find out if this feature is available and how to turn it on. In some cases you may need an additional program to properly encrypt your sensitive data.

3. Spear Phishing

Spear phishing describes any highly targeted phishing attack. Spear phishers send e-mail that appears genuine to all the employees or members within a certain company, government agency, organization, or group. The message might look like it comes from an employer, or from a colleague who might send an e-mail message to everyone in the company, such as the head of human resources or the person who manages the computer systems, and could include requests for user names or passwords.

The truth is that the e-mail sender information has been faked or “spoofed.” Whereas traditional phishing scams are designed to steal information from individuals, spear phishing scams work to gain access to a company’s entire computer system.

If an employee responds with a user name or password, or if you click links or open attachments in a spear phishing e-mail, pop-up window, or Web site, they might put your business or organization at risk.

Case Study:

A medium size bicycle manufacturer that produced bikes that were used in well known races, relied heavily on email to conduct business. In the normal course of a business day, the company received as many as 50,000 spam and phishing emails. As a result, the company installed numerous spam filters in an attempt to shield employees from fraudulent emails. However, many fraudulent emails still go through to employees. In one case, an employee received a “spear phishing” email that looked like it came from the IT Department, and asked the employee to confirm the “administrator password.” Luckily for the company, when the employee asked the line manager for the “administrator password” he investigated further and realized the email was a scam. While this example didn’t result in a financial loss, it could easily have, and is a common problem for all businesses.

Advice:

  • Employees should never respond to spam or pop-up messages claiming to be from a business or organization that you might deal with for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. Legitimate companies will not ask for sensitive information via email or a link.
  • In addition, if an employee receives an email that looks like it’s from another employee, and asks for password or any type of account information, they shouldn’t respond to it, or provide any sensitive information via email. Instead, instruct the employee to contact their manager, or simply pick up the phone and contact the person who sent the email directly.
  • It’s important to make your employees aware of what a spear phishing attack is and to be on the look out for anything in their in-box that looks suspicious. The best way to avoid becoming a victim of a spear phishing attack is to let everyone know it’s happening before anyone loses any personal information.

4. Unsecured Wireless Internet Networks

Consumers and businesses are quickly adopting and implementing wireless Internet networks. According to an InfoTech Study, wireless Internet networks penetration will reach 80% by 2008. While wireless Internet networks provide businesses an opportunity to streamline their networks and build out a network with very little infrastructure or wires, there are security risks businesses need to address while using wireless Internet networks. Hackers and fraudsters can gain entry to businesses’ computers through an open wireless Internet network, and as a result, could possibly steal customer information, and even proprietary information. Unfortunately, many businesses don’t take the necessary measures to secure their wireless networks. According to a 2005 Symantec/Small Business Technology Institute Study, 60% of small businesses have open wireless networks. In addition, many other small businesses may not use strong enough wireless security to protect their systems. Not properly securing a wireless network is like leaving a business’s door wide open at night.

Case Study:

According to news reports, hackers pulled off the “biggest data breach ever” through a wireless network. A global retail chain had over 47 million customers’ financial information stolen by hackers who cracked through a wireless network that was secured by the lowest form of encryption available to the company. In 2005, two hackers allegedly parked outside a store and used a telescope wireless antenna to decode data between hand-held payment scanners, enabling them to break into parent company database and make off with credit and debit card records of nearly 47 million customers. It is believed the hackers had access to the credit card database for over two years without being detected. Instead of using the most up to date encryption software to secure its wireless network – Wi-Fi Protected Access (WPA), the retail chain used an old form of encryption called Wireless Equivalent Privacy (WEP), which according to some experts can be easily hacked in as little as 60 seconds. Currently, this security breach has cost the company $17 million, and in particular $12 million in one quarter alone, or 3 cents per share.

Advice:

  • When setting up a wireless network, make sure the default password is changed. Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Changing default passwords makes it harder for attackers to take control of the device.
  • Moreover, make sure you encrypt your wireless network with WPA encryption. WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) both encrypt information on wireless devices. However, WEP has a number of security issues that make it less effective than WPA, so you should specifically look for gear that supports encryption via WPA. Encrypting the data would prevent anyone who might be able to monitor your network wireless traffic from viewing your data.

5. Insider/Disgruntled Employee Threat

A disgruntled employee or an insider can be more dangerous than the most sophisticated hacker on the Internet. Depending on your business’s security policies and password management, insiders may have direct access to your critical data, and as a result can easily steal it and sell it to your competitor, or even delete all of it, causing irreparable damage. There are steps and measures you can take to prevent an insider or disgruntled employee from getting access to key information and damaging your computer networks.

Case Study:

A former employee for a company handling flight operations for major automotive companies, deleted critical employment information two weeks after he resigned from his position. The incident caused around $34,000 in damages. According to reports, the employee was upset about being released by the company earlier than he had anticipated. Allegedly, the company’s firewall was compromised and the perpetrator broke into the employee data base and deleted all the records. Statements from the company indicate that the disgruntled former employee was one of only three people who knew the log-in and password information for the firewall that protected the employee data base.

Advice:

There are a number of ways your company can protect itself from insider or disgruntled employee threats:

  • Divide critical functions and responsibilities among employees within the organization, limiting the possibility that one individual could commit sabotage or fraud without the help of other employees within the organization.
  • Implement strict password and authentication policies. Make sure every employee uses passwords containing letters and numbers, and do not use names or word.
  • Moreover, be sure to change passwords every 90 days, and most importantly, delete an employee’s account or change the passwords to critical systems, after an employee leaves your company. This makes it harder for disgruntled employees to damage your systems after they have left.
  • Perform due diligence BEFORE you hire someone. Do background checks, educational checks, etc to ensure that you are hiring good people.

* * * * *

About the Author: As the executive director of the National Cyber Security Alliance (NCSA), Ron Teixeira is responsible for the overall management of cyber security awareness programs and national education efforts. Teixeira works closely with various government agencies, corporations and non-profits to increase awareness of Internet security issues and to empower home users, small businesses and the education community with tools and best practices designed to ensure a safe and meaningful Internet experience.

8 Comments ▼

Ron Teixeira




8 Reactions

  1. Thanks Ron for this wonderful overview of security threats to small businesses. I think a lot of these things are often overlooked by small business owners, and they could save a lot of time and money if they were just a little more proactive in their business security.

  2. Thanx a million Ron for the article it helps lot to learn things. its just a wonderful piece of writing.

  3. Communicating about IT security with users often falls on deaf ears for two reasons: users believe that system security is the job of the IT department, and users are made to feel stupid by being chastised and punished by the IT department that’s supposed to be helping them.
    http://coopermann.com/2013/08/01/it-security-and-engaging-users-to-reduce-vulnerability/

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>



Who influences you? Nominate for the 2014 Small Business Influencer Awards.